google-auth-library-nodejs icon indicating copy to clipboard operation
google-auth-library-nodejs copied to clipboard
verified publisher icon googleapis

signBlob signatures guaranteed to be valid for only 12 hours

Open mhandugan opened this issue 3 years ago • 0 comments

The current comments fail to say how long a signed blob will be valid.

https://github.com/googleapis/google-auth-library-nodejs/blob/883cf2596664b7de8159fb29a8f16705218a2ad4/src/auth/googleauth.ts#L880

From the iam.serviceAccounts.signBlob documentation:

The key used for signing will remain valid for at least 12 hours after the blob is signed.

This means the default behavior only generates signatures valid for up to 12 hours (may be longer, but not guaranteed to be). This turns out to be a practical problem for most users of googleapis/nodejs-storage relying on the default authClient.sign behavior for signing URLs. Even when the TTL is specified in the signature (up to 7 days for v4 signatures) the default underlying signature is only good for up to 12 hours.

This should at least be documented in both the auth library and storage library, and the storage library may consider restricting TTLs on signed URLs to 12 hours (rejecting requests for longer TTLs when used with the service-account signBlob API)

mhandugan avatar Feb 15 '22 23:02 mhandugan